With a managed network in place in tier two, a lot has been done to secure your endpoints from attack. However, some businesses will need to assess whether the protection that has been achieved thus far is adequate to safeguard business data that has critical value, or is highly sensitive or highly regulated. In the third tier of this risk assessment, I turn to specific business use cases that demand tailor-fit protection.
Use Case 1: Protect against ransomware
Certain classes of small and medium-sized businesses, such as government and military contractors, healthcare clinics and practices, private investigative businesses, legal firms, etc., are often in possession of critical data that should never be compromised. Such high-value data represents a tantalizing opportunity for ransomware gangs who are looking to yield high gains for their time and effort invested.
An effective way of increasing pressure on businesses to pay up is through tactics such as doxing and “auction houses,” which require the criminals to steal the data before encrypting it. Businesses that refuse to pay the ransom for the decryption key(s) are then threatened that their data will be sold. That is exactly what happened to the law firm Grubman Shire Meiselas & Sacks, when Sodinokibi (aka REvil) ransomware operators reportedly stole 756 GB of data and threatened to auction it off, starting with the data from celebrities such as Nicki Minaj, Mariah Carey and LeBron James.
Businesses that have a low tolerance for loss of reputation or possess highly confidential data would greatly benefit from having a bulletproof solution against ransomware, such as ESET Dynamic Threat Defense. A powerful, cloud-based sandbox, ESET Dynamic Threat Defense uses high-performance cloud instances to run a machine learning engine that can analyze samples submitted from your environment for ransomware.
Use Case 2: Protect data from prying eyes
Data that is not encrypted is data that is open to the easy purview of any intruder. This applies especially to both email communication and physical access to data. Without encryption, hackers and thieves that get their grubby hands on emails, hard drives or USB devices can easily read their contents.
So, don’t email your patented work, blueprints, research and other sensitive communications without encrypting them first. If employees are allowed to use portable storage devices to transfer company data, make sure those devices are always encrypted. You don’t want to become the next news story about how an unencrypted storage device with patients’ medical data was found in a parking lot.
Using a solution like ESET Endpoint Encryption, which provides various options and features for email and file encryption, not only builds trust in your company’s data handling practices, but also prevents data breaches and fines levied for violations of the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA) and other data privacy legislation.
In order to protect company data stored on the hard drives of work desktops and laptops, employees should make sure to shut them down at the end of work hours. Solutions like ESET Full Disk Encryption render any data on a turned-off machine unreadable by encrypting it. In order to decrypt and read the data, employees are required to enter a password before operating system startup.
This can greatly limit the impact of a data breach in the case of home or office break-ins and thefts, since the data on stolen and tampered-with machines remains unreadable without knowing the password. According to article 34 of GDPR, there is no requirement to communicate a personal data breach to affected data subjects when the data is encrypted.
Use Case 3: Protect IT administrator and business owners’ accounts
The most desirable targets of social engineering attacks are the administrator accounts in your company. Administrators have special admin tools and privileged levels of access that enable them to perform management tasks quickly and easily.
In a common social engineering attack, an administrator will receive a phishing email with a link that opens to a fake login page. Should an admin enter their credentials and attempt to “authenticate,” the page will usually respond with an error message while also sending the victim’s credentials to the phishing operators.
With admin credentials in hand, the operators can now authenticate as admins and use the company’s admin tools to do a lot more damage. In fact, that seems to be one of the explanations for the recent takeover of high-profile Twitter accounts, including those of Joe Biden, Elon Musk, Bill Gates and Jeff Bezos.
If, however, companies require their admins to doubly protect their logins with a multi-factor authentication (MFA) solution like ESET Secure Authentication, merely stealing the password is no longer enough for a phishing attack to succeed. A hacker would either have to bypass the MFA mechanism or steal the authentication code in some way.
In other words, MFA ups the ante on hackers. Businesses should strongly consider prioritizing authentication protection for their IT admins, as well as for business owners’ accounts (who often have admin privileges).
Balancing specific risks against available budget for your IT security is no easy task. Sometimes, considering how much a data breach or attack would cost your business can help you to decide what needs to be done. Especially for small businesses, one attack can do enough damage to close the business down. However, establishing which tier of risk you can handle, and then making the appropriate investment to get your IT security on par, can help you understand how prepared you are for the moment when an attack arrives.
written by Rene Holt, ESET